Privacy Policy
Version date: 15th May 2023
This privacy policy explains what information we collect and use when you visit our website at www.prift.co, use our services (whether as an individual or business customer) or are a key contact working for a prospective Prift customer or business partner. This policy explains your legal rights and what to do if you have any concerns.

As a company based in the UK, we are subject to UK data protection law but our website visitors may be based around the world.

We sometimes need to update this policy, to reflect any changes to the way our service is provided or to comply with new legal requirements. We will notify you of any important changes before they take effect.
1.
Who we are and other important information
1.1.
Prift Ltd is our parent company registered in England and Wales under company number 13458239 with its registered office at 1 Mayfair Mews, Balham Grove, London, United Kingdom, SW12 8AZ. Prift OPCO UK Ltd is a subsidiary of Prift Ltd and is a company registered in England and Wales under company number 13464853 with its registered office also at 1 Mayfair Mews, Balham Grove, London, United Kingdom, SW12. Together these companies are the Prift Group, but in this document we’ll refer to each company interchangeably as Prift, we, us or our.
1.2.
Prift OPCO UK Ltd is registered with the UK Financial Conduct Authority as a PSD Agent (reference number 992581) of Yodlee Inc. UK Branch, a Registered Account Information Service Provider by the UK Financial Conduct Authority (reference number: 820700).
1.3.
We are a financial planning platform which allows individuals to manage their long term financial commitments and goals in one place (Users). Our plan is that Users can either sign up with us directly, or as part of a benefit scheme provided by their employer (Business Customer). Users input their financial information (such as their investments and mortgage details) and see a clear overview of what their financial future might look like, based on data collected by Prift using open finance – a revolutionary data sharing set-up between different financial institutions (like banks and pension providers). Our platform also offers helpful hints and tips to get the most out of personal finance services and products, as well as recommendations for providers we’ve partnered with (Partners) that we think will help Users achieve the goals they’ve set on their Prift profile.
1.4.
For all Users and visitors to our website, Prift is the controller for your information (which means we decide what information we collect and how it is used). Prift Ltd is registered with the Information Commissioner’s Office (ICO), the UK regulator for data protection matters, under reference number ZB292519.
1.5.
If you are a User that has been given access to our services by one of our Business Customers, or if we’ve identified you as a key contact working for a current or prospective Business Customer, then Prift and our Business Customer act as independent controllers (which means we might share some of your information with each other, but we separately decide what we use it for). If you’d like to know how our Business Customer uses your information, you’ll need to read their privacy policy as well.
1.6.
When you confirm you’re happy for Prift to receive your information from your existing financial service providers (whether that’s your bank, pension provider etc) Prift and the other organisation will also be independent controllers for your information.
2.
Contact details
If you have any questions about this privacy policy or the way that we use information, please get in touch by emailing support@prift.co.
3.
The information we collect about you
3.1.
Personal data means any information which does (or could be used to) identify a living person.
3.2.
We offer our services to individuals aged over 18 in the UK. The information that we do collect is classified as pseudonymised data (which is personal data which doesn’t identify a person by itself but could be used to identify them when matched together with other information).  If you’re adding someone else’s information as part of your Prift profile, please check with them first that they’re happy for you to do so. 
We have grouped together the types of personal data that we collect and where we receive it from below:
| Type of Personal Data collected | Received from |
| --- | --- |
| Identity information – name, title, marital status, date of birth, nationality | User; Business |
| Employment information – employment status, employer pension contributions, salary, bonuses | User; Business |
| Household information – postcode, homeowner status, number of dependents | User |
| Contact details – personal email address, work contact details (for Business Customer key personnel only) | User; Business |
| User profile – login credentials | User |
| Website enquiries – any personal data provided when you submit an enquiry via our website chatbot, or information about you that is referenced by another user submitting an enquiry | User; Website visitor; Business Customer |
| Financial information – account details (product type, provider, name of account holder(s), account reference number, transaction history) | User; Users’ financial service providers (e.g. banks, pension provider) |
| Feedback – information and responses individuals provide when completing surveys and questionnaires | User; Website visitor |
| Usage information – information about activity on our website and platform, including audit logs, download errors, times and dates of log-in | User (via cookies and similar technologies); Website visitor (via cookies and similar technologies) |
| Technical information – internet protocol (IP) address, browser type and version, time zone setting and generic location, browser plug-in types and versions, operating system and platform on the devices used to access our website or service | User (via cookies and similar technologies); Website visitor (via cookies and similar technologies) |
| Marketing information – your marketing preferences | User; Website visitor; Key Personnel |
3.3.
We may anonymise the personal data we collect (so it can no longer identify you as an individual) and then combine it with other anonymous information so it becomes aggregated data. Aggregated data helps us identify trends (e.g. what pages of our website visitors spend the most time on, what percentage of Users have a mortgage). Data protection law does not govern the use of aggregated data and the various rights described below do not apply to it.
4.
How we use your information
4.1.
UK data protection law requires Prift to identify a legal justification (also known as a lawful basis) for collecting and using your personal data. There are six legal justifications which organisations can rely on. The most relevant of these to us are where we use your personal data to:

a) fulfil our contract with you if you are a User or use our services directly (and are not a Business Customer);
b) pursue our legitimate interests (our justifiable business aims) but only if those interests are not outweighed by your other rights and freedoms (e.g. your right to privacy);
c) comply with a legal obligation that we have; and
d) do something that you have given your consent (your express permission) for.
4.2.
The table below sets out the lawful basis we rely on when we use your personal data. If we intend to use your personal data for a new reason that is not listed in the table, we will update our privacy policy and notify you.
| Purposes | Justification |
| --- | --- |
| Taking steps to enter into the contract with User, our Business Customer or Partner | Legitimate interests (necessary to conclude our contract with Business Customer or Partner); Contract with User |
| To make it easier for Users to remain signed in (if they use Google account instead of creating separate log-in credentials) | Legitimate interests (necessary to optimise our service and provide improved user experience) |
| Processing payments and collecting and recovering monies owed to us | Performance of contract (where our customer is an individual); Legitimate interests (where money is owed by a Business Customer or Partner, as necessary to recover debts due to us) |
| Providing our service to our User, our Business Customer or Partner | Legitimate interests (necessary to fulfil our service contract with our Business Customer or Partner); Contract with Users |
| Profiling Users to identify which financial services or products may be of interest | Consent of User |
| Handling requests for technical support and other queries | Legitimate interests (necessary to fulfil our service contract and ensure the proper functioning of our website and services) |
| Asking you to participate in surveys and other types of feedback | Consent of recipient |
| Providing insight on how our products and services are being used | Legitimate interest (necessary to improve and optimise our products and services) |
| Administering and protecting products, services and systems | Legitimate interests (necessary to provide our products and services, monitor and improve network security and prevent fraud) |
| Notifying you about changes to our privacy policy | Legal obligation |
| Sending you marketing material | Legitimate interest (where we market our services to existing and prospective Business Customers and Partners – to promote Prift); Consent of recipient |
5.
Marketing
5.1.
If you are an individual, we will only send you marketing communications if you have given your consent (express permission). You are free to change your mind at any time and ask us to remove you from our mailing list by clicking unsubscribe in the email or pop-up message itself or by updating your Prift profile settings.
5.2.
If you work for an existing or prospective Prift Partner or Business Customer (and you’re not a User), we will only ever send marketing communications to your work contact details, and we always include a link in our emails so that you can unsubscribe at any time. We will also remove your details from our system if our Business Customer or Partner informs us you no longer work for them.
5.3.
Prift uses HubSpot to help us deliver and monitor the communications we send. Their digital tools let us see whether a recipient has clicked any of the links in our email, which helps us understand what content that recipient appears to be interested in and allows us to personalise the content of our future messages.
5.4.
Pixels (which are a similar technology to cookies) within those emails enable us to see:
a) if the email was opened
b) where the device opening the email was located (based on the device’s IP address)
c) the type of email service (e.g. Outlook) that was used
d) if the email (or its content) were shared on social media
e) if the email was flagged as spam
6.
Who we share your information with
6.1.
We share (or may share) your personal data with:
a) Our staff: Prift employees (or other types of workers) who have contracts containing confidentiality and data protection obligations. 
b) Prift Group: we share information internally with our group companies. 
c) Our Business Customers: we have a service contract and data sharing agreement in place with all our Customers which sets out what information we provide to them as part of our services. If you have any questions about how they use the information they receive, you should ask to see their privacy information.
d) Our Partners: we have a service contract and data sharing agreement in place with all our Partners which sets out what information we provide to them whenever we refer a User. If you have any questions about how they use the information they receive, you should ask to see their privacy information.
e) Financial Services Providers: we notify Users’ financial service providers (e.g. your bank or pension provider) that you have given us your permission to access your financial information (solely for the purpose of you being able to use our long term financial planning services).
f) Our supply chain: other organisations help us provide our services and website (such as Google to enable single sign-on where you use your Google account to access our services, our hosting and server provider, internal IT systems, our CRM system and our website usage analysis). We ensure these organisations only have access to the information required to provide the support we use them for, and we have a contract with them that contains confidentiality and data protection obligations.
g) Regulatory authorities: such as HM Revenue & Customs, Financial Conduct Authority
h) Our professional advisers such as our accountants or legal advisors where we require specialist advice to help us conduct our business, or IT specialists to conduct audits on the security of our services.
i) Any actual or potential buyer of our business
6.2.
If Prift were asked to provide personal data in response to a court order or legal request (e.g. from the police), we would seek legal advice before disclosing any information and carefully consider the impact on your rights when providing a response. 
7.
Where your information is located or transferred to
7.1.
We will only transfer information outside of the UK where we have a valid legal mechanism in place (to make sure that your personal data is guaranteed a level of protection, regardless of where in the world it is located).
7.2.
If you access our service or receive a communication from us whilst abroad then your personal data may be stored on services in the same country where the organisation or you are located.
8.
How we keep your information safe
8.1.
We have implemented security measures to prevent your personal data from being accidentally or illegally lost, used or accessed by those who do not have permission. These measures include:
a) access controls and user authentication (including multi-factor authentication)
b) internal IT and network security 
c) regular testing and review of our security measures
d) staff policies and training
e) incident and breach reporting processes
f) making regular back-up copies of information
8.2.
If there is an incident which has affected your personal data and we are the controller, we will notify the regulator and keep you informed (where required under data protection law).  
8.3.
If you notice any unusual activity on your account (or believe your account has been otherwise compromised) please let us know by emailing us at support@prift.co.
9.
How long we keep your information
9.1.
Where we are the controller, we usually keep information for 6 years from the date our User closes their account before we convert it into anonymised information. Sometimes we need to keep it longer, for example to investigate complicated errors or defend ourselves from legal claims. 
9.2.
We keep analytics information about how visitors use our website and interact with our services for 2 years.
9.3.
We keep information about prospective or existing Business Customer or Partner key contacts indefinitely, or until we receive replacement details or a request to remove that individual’s details. 
10.
Your legal rights
10.1.
You have specific legal rights in relation to your personal data. 
10.2.
It is usually free for you to exercise your rights and we aim to respond within one month (although we may ask you if we can extend this deadline up to a maximum of two months if your request is particularly complex or we receive multiple requests at once).
10.3.
We can decide not to take any action in relation to a request where we have been unable to confirm your identity (this is one of our security processes to make sure we keep information safe) or if we feel the request is unfounded or excessive. If this happens we will always inform you in writing.
10.4.
We may charge a fee where we decide to proceed with a request that we believe is unfounded or excessive.
10.5.
If you want to make any of the legal requests below, you can contact us at support@prift.co:
a) The right of access (obtaining a copy of your data)
b) The right to rectification (correcting your data)
c) The right to erasure (deleting your data)
d) The right to restrict processing (to stop use of your data for a time limited period)
e) The right to data portability (to move your data to another organisation)
f) The right to object (to object to our use of your data)
g) The right to complain to the ICO, who you can contact here. However, we hope that if you are concerned about how we use your information, you will contact us in the first instance so that we can try to help.
10.6.
There are some limited exemptions to these rights, so they may not apply in every scenario and Prift may decline your request (but we would explain our decision in writing if this was the case).
11.
Our cookie policy
Our website and service use cookies and similar technologies (such as beacons and pixels).
11.1.
What are cookies?

Cookies are small text files that are downloaded to your device. Cookies contain uniquely generated references which are used to distinguish you from other users. They allow information gathered on one webpage to be stored until it is needed for use on another, allowing a website to provide you with a better user experience (like remembering your login credentials so you don’t have to type them in every time) and a website owner with statistics about how you interact with their (and sometimes third party) webpages.

Cookies are not harmful to your devices (like a virus or malicious code) but some individuals prefer not to share their information (for example, to avoid targeted advertising).
11.2.
What does Prift use cookies for?

- to track how visitors use our website or users use our services
- to keep you signed in
11.3.
The cookies we use are:
| Set by | Technical info | What it does |
| --- | --- | --- |
| Google LLC | VISITOR_INFO1_LIVE, YSC, GPS | Identifies and remembers website visitors, how they arrived at our website, which pages they viewed and how long they stayed on |
| Meta | . | Identifies and remembers website visitors, how they arrived at our website, which pages they viewed and how long they stayed on |
11.4.
Accepting or declining cookies (and how to delete them)

We can only use non-essential cookies with your permission (you will be prompted by a message when you first visit our website, also known as a cookie banner, where you can choose to accept or decline our cookies). 

You can choose to decline cookies but if you turn off necessary cookies, some pages and functions on our website and services may not work properly.

You can also manage cookies through your browser settings or device settings (your user manual should contain additional information).

You can also delete cookies directly with the relevant third parties (for example, you can disable Google Analytics on their website).